amark / gun

An open source cybersecurity protocol for syncing decentralized graph data.
https://gun.eco/docs

WebCrypto does not work on `http` & SEA redirects to `https` automatically #992

Open Jack-Works opened 4 years ago

Jack-Works commented 4 years ago

https://github.com/amark/gun/blob/97aa976c97e6219a9f93095d32c220dcd371ca62/sea.js#L39

```js
  ;USE(function(module){
    var SEA = USE('./root');
    try{ if(SEA.window){
      if(location.protocol.indexOf('s') < 0
      && location.host.indexOf('localhost') < 0
      && location.protocol.indexOf('file:') < 0){
        location.protocol = 'https:'; // WebCrypto does NOT work without HTTPS!
      }
    } }catch(e){}
  })(USE, './https');
```

Please don't jump to https automatically! This is a library, not an application, you should not do things like this.

Also, you forget to check 127.0.0.1.

Finally, the correct way to detect if WebCrypto is available is `window.isSecureContext`: https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext

amark commented 4 years ago

👍 isSecureContext that is a good one.

I agree with the sentiment but we have a nasty problem:

Everybody tests locally then deploys to production. If it isn't on http everything goes "kaboom" silently; dev may never notice 'cause they always go to https, but users don't always.

We've caught at least 3+ major incidents as a result of forcibly redirecting. The worst thing that happens is complaining "why" here, but not redirecting leads to massively silently broken sites. If somebody doesn't have https certs then this unavoidably notifies them. `console.log` etc. warnings are not good enough; they go unseen 90%+ of the time.

Any other alternative options?
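
One possible alternative, as an added example that is not part of the thread or of gun/SEA: use `window.isSecureContext` as suggested in the first comment, and throw at the call site instead of redirecting or only logging. The names `checkCryptoContext`, `requireCryptoContext`, `LOCAL_HOSTS` and `SAMPLES` are hypothetical, and the window-like sample objects are constructed so the block runs outside a browser.

```javascript
// Added example; helper names are hypothetical and not part of gun/SEA.
// Hosts exempted from the HTTPS requirement: the one sea.js already checks,
// plus the 127.0.0.1 case raised in the issue. Compared exactly, not by substring.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1']);

// Classify a window-like object without touching location (no navigation).
function checkCryptoContext(win) {
  const hasSubtle = Boolean(win.crypto && win.crypto.subtle);
  if (typeof win.isSecureContext === 'boolean') {
    // Preferred path: the browser's own verdict.
    if (!win.isSecureContext) return { ok: false, reason: 'insecure-context' };
    return hasSubtle ? { ok: true, reason: 'secure-context' }
                     : { ok: false, reason: 'no-webcrypto' };
  }
  // Fallback for engines without isSecureContext: same exemptions as the
  // sea.js check (https, file:, local host), then require crypto.subtle.
  const loc = win.location || {};
  const looksSecure = loc.protocol === 'https:' || loc.protocol === 'file:' ||
                      LOCAL_HOSTS.has(loc.hostname);
  if (!looksSecure) return { ok: false, reason: 'insecure-context' };
  return hasSubtle ? { ok: true, reason: 'legacy-heuristic' }
                   : { ok: false, reason: 'no-webcrypto' };
}

// Fail loudly at the call site instead of redirecting or only logging.
function requireCryptoContext(win) {
  const result = checkCryptoContext(win);
  if (!result.ok) {
    const where = win.location ? win.location.href : 'unknown origin';
    throw new Error('WebCrypto unavailable (' + result.reason + ') on ' + where +
                    '; serve this page over HTTPS.');
  }
  return win.crypto.subtle;
}

// Constructed window-like samples for running outside a browser.
const SAMPLES = {
  httpProd: { isSecureContext: false, crypto: {},
              location: { protocol: 'http:', hostname: 'app.example', href: 'http://app.example/' } },
  loopback: { isSecureContext: true, crypto: { subtle: {} },
              location: { protocol: 'http:', hostname: '127.0.0.1', href: 'http://127.0.0.1:8765/' } },
  legacyHttps: { crypto: { subtle: {} },
                 location: { protocol: 'https:', hostname: 'app.example', href: 'https://app.example/' } },
};
```

In a browser the call would be `requireCryptoContext(window)`; an application that wants the redirect can catch the error and navigate itself.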